20. Each of the Intelligence Services is a public authority for this purpose. Thus,
when undertaking any activity that interferes with Art. 8 rights, the
Respondents must (among other things) act proportionately and in accordance
with law. In terms of bulk activity relating to and section 94 of the
Telecommunications Act 1984, the HRA applies at every stage of the process
i.e. authorisation/acquisition, use/access, disclosure, retention and deletion.
21. S. 7(1) of the HRA provides in relevant part:
“A person who claims that a public authority has acted (or proposes to act) in
a way which is made unlawful by section 6(1) may—
(a) bring proceedings against the authority under this Act in the appropriate
court or tribunal ....”
The DPA
22. Each of the Intelligence Services is a data controller (as defined in s. 1(1) of
the DPA) in relation to all the personal data that it holds. “Personal data” is
defined in s.1(1) of the DPA as follows:
“data which relate to a living individual who can be identifiedi. from those data; or
ii. from those data and other information which is in the possession of, or is
likely to come into the possession of the data controller, and includes any
expression of opinion about the individual and any indication of the intentions
of the data controller or any other person in respect of the individual.”
23. Insofar as the obtaining of an item of information by any of the Intelligence
Services amounts to an interference with Art. 8 rights, that item of information
will in general amount to personal data.
24. Consequently as a data controller, the Respondents are in general required by
s. 4(4) of the DPA to comply with the data protection principles in Part I of
Sch. 1 to the DPA. That obligation is subject to ss. 27(1) and 28(1) of the
DPA, which exempt personal data from (among other things) the data
protection principles if the exemption “is required for the purpose of
safeguarding national security”. By s. 28(2) of the DPA, a Minister may
certify that exemption from the data protection principles is so required.
Copies of the ministerial certificates for each of the Intelligence Services are
available on request. Those certificates certify that personal data that are
processed in performance of the Intelligence Services’ functions are exempt
from the first, second and eighth data protection principles (and are also
exempt in part from the sixth data protection principle). Thus the certificates
do not exempt the Intelligence Services from their obligation to comply with
the fifth and seventh data protection principles, which provide:
“5. Personal data processed for any purpose or purposes shall not be kept for
longer than is necessary for that purpose or those purposes. …
1 The term “processing” is broadly defined in s. 1(1) of the DPA to include
(among other things), obtaining, recording and using.
42